Application Server Solutions for Microsoft IIS and ASP.NET
       solutions   products   partners   company   support   downloads         store
BlueDragon Self-Help: FAQ
Back to Search >  Back to Search Results

Faq ID 378
Product BlueDragon, ServletExec
Category Web Server Support
Question What can you tell me about using IWA with IIS?
Answer Here is a collection of facts and observations regarding the use of Integrated Windows Authentication (IWA) with Microsoft's IIS webserver.

IWA will not prompt the client/browser to login whenever that client/browser is running within the same domain as IIS. In that scenario, the login is automatic and behind-the-scenes (i.e. seamless). This fact is evidenced by this IIS forum post.

When you have mulitple authN mechanisms enabled for your IIS website (e.g. IWA *and* Basic), then the IIS webserver will send back a list of all supported (i.e. enabled) mechanisms to the client, and the client will select the "strongest" one that it supports.
So, if you have IWA *and* Basic enabled, and the client supports IWA, then IWA will be used (e.g. NTLM or Kerberos). Only if the client doesn't understand/support IWA would Basic be used. So, "yes", you can have both of them selected, but if the client supports IWA, then it will attempt to use IWA. With IWA, you need to supply a domain name as part of the username (e.g. <domainName>\<userName>).

If you are being prompted to login and yet your attempts to login keep failing, perhaps you need to configure your Internet Explorer [IE] web browser to add the site you're requesting to its security zone as described here.
Essentially what can occur is that IE may decide to not trust certain websites based upon IE's own security settings.
Further details are here.

With IIS 7, Integrated Windows authentication isn't installed by default. As such, you'll need to go to the Add/Remove programs | "Turn Windows Features on or off".
This will bring up a new Server Manager dialog. Click on the Role named "Web Server" and then in the right pane scroll down to the list of Role Services. Look in the list of Role Services for the Heading named "Security". Beneath that heading you should see Role Services named:

  • Basic Authentication
  • Windows Authentication
  • etc...
By default those Role Services are not installed, so go back to the top of the list of Role Services and click Add Role Services...
From there you can check the checkboxes for the specific Authentication Role Services you wish to add. After this completes, close the IIS Manger/Server Manger dialog and bring up a brand new one. That is important. Now in the brand new dialog click on the name of your website and then click on "Authentication" in that IIS group. You should then see that "Windows Authentication" has been added to the list (it would not have been listed there before). Make sure to enable it, as its default value will be "disabled".
In testing, we found that it was not enough to turn on the IWA authentication within IIS. We found that we must also turn off Anonymous Access.

With BDJX 7.0.1,371 the value of Auth_user and Remote_user is simply "Administrator", but with BDJX 7.1.0,373 the values are "<machine name>\Administrator" as in: WIN-1T1ZLEDWXSK\Administrator

It is possible to perform advanced configuration within Firefox by accessing the following URL in a Firefox browser window: about:config

FAQ #65 may also be of interest.



   
company media information terms of use privacy policy contact us